Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects HAPPY: from n/a through 1.0.10.
AnalysisAI
Broken access control in the HAPPY WordPress helpdesk and support ticket plugin (versions through 1.0.10) by VillaTheme permits unauthenticated remote attackers to invoke restricted plugin functionality without any authorization check. The vulnerability stems from missing authorization gates on plugin endpoints, classified under CWE-862, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The HAPPY plugin (CPE: cpe:2.3:a:villatheme:happy:*:*:*:*:*:*:*:*) is a WordPress helpdesk and support ticket system developed by VillaTheme. CWE-862 (Missing Authorization) indicates the plugin fails to verify whether a requesting user holds the appropriate capability or role before executing privileged operations - a pattern common in WordPress plugins where AJAX handlers or REST API endpoints register actions via wp_ajax_nopriv_ hooks or lack nonce/capability checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms these endpoints are reachable over the network without authentication or user interaction, consistent with the 'Authentication Bypass' tag reported by Patchstack. The S:U scope means the impact is confined to the plugin's own context rather than the broader WordPress installation.
RemediationAI
The primary remediation is to update the HAPPY plugin to a version above 1.0.10 via the WordPress admin dashboard or WP-CLI. The exact patched release version has not been independently confirmed from available source data - consult the WordPress plugin repository (wordpress.org/plugins/happy-helpdesk-support-ticket-system) or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-10-broken-access-control-vulnerability for the confirmed fixed release. If an immediate update is not possible, deactivating the HAPPY plugin eliminates the attack surface entirely, with the trade-off of losing helpdesk functionality. Restricting access to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) via WAF rules or IP allowlisting can reduce exposure but may also break legitimate plugin functionality and is not a substitute for patching.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31296
GHSA-mm5v-cf95-v823